
Beyond Reactive Management of Network Intrusions


Presentation Transcript


  1. Beyond Reactive Management of Network Intrusions Professor Sushil Jajodia, Center for Secure Information Systems, jajodia@gmu.edu, http://csis.gmu.edu/jajodia

  2. Outline • Problem • Approach • Benefits • Challenges

  3. The Perfect Storm • Network configurations are ever more sophisticated • Vulnerabilities are becoming more complex • Remediation resources are sparse A total solution is a combination of technology and services I will describe the technology component

  4. [Figure: example network with an External Attacker, an Attack Target and two Vulnerability Scanner placements; per-host scanner results of 160, 158, 47, 107, 60, 41 and 15 vulns]

  5. Limitations of Vulnerability Scanners • Generate overwhelming amount of data • Example Nessus scan • Elapsed time: 00:48:07 • Total security holes found: 255 • High severity: 40 • Low severity: 117 • Informational: 98 • No indication of how vulnerabilities can be combined • Can an outside attacker obtain access to the Crown Jewels? • Where does a security administrator start?

  6. Limitations of IDSs • Generate overwhelming number of alerts • Many false alerts – normal traffic or failed attacks • Alerts are isolated • No indication of how alerts can be combined • Incomplete alert information • Where does a security administrator start? • Is the attacker trying to obtain access to Crown Jewels? • Require extensive human intervention

  7. Summary • Current security measures largely independent • Little synergy among tools • Vulnerabilities considered in isolation may seem acceptable risks, but attackers can combine them to produce devastating results

  8. What is lacking? • “A distributed system is one in which the failure of a computer you didn’t even know existed can render your own computer unusable” – Leslie Lamport • Context for total network security • How outsiders penetrate firewalls and launch attacks from compromised hosts • Insider attacks

  9. The reality – security concerns are highly interdependent. Simply Listing Problems Misses the Big Picture!

  10. Penetration Testing • Few experts available • Red teams can be expensive • Tedious • Error-prone • Impractical for large networks • No formal claims

  11. Attack Graphs • An attacker breaks into a network through a chain of exploits where each exploit lays the groundwork for subsequent exploits • Chain is called an attack path • Set of all possible attack paths form an attack graph • Generate attack graphs to mission critical resources • Report only those vulnerabilities associated with the attack graphs

  12. Related Work • Phillips and Swiler NSPW 1998 • Templeton and Levitt NSPW 2000 • Ritchey and Ammann S&P 2000 • Wing, Jha et al. CSFW 2002 • Ammann et al CCS 2002 • Ou et al. CCS 2006 • Sawilla and Ou ESORICS 2008

  13. [Figure: example network. Attacker 10.10.101.10 -> Firewall -> Hub -> Web Server 10.10.100.10 and Mail Server 10.10.100.20; software labels on the hosts: Linux attack tools, NT4.0, Linux, IIS, wu_ftpd]

  14. Reference • Sushil Jajodia, Steven Noel, Pramod Kalapa, Massimiliano Albanese, John Williams, "Cauldron: Mission-centric cyber situational awareness with defense in depth," Proc. MILCOM Conf., Baltimore, MD, November 7-10, 2011.

  15. Minimal-Cost Network Hardening

  16. [Figure: attack graph with the exploits removed by hardening Solution 1 highlighted]

  17. [Figure: the same attack graph with Solution 1 and the cheaper Solution 2 highlighted]

  18. [Figure: vulnerabilities marked "No impact", i.e. off every attack path to the target]

  19. Reference • Massimiliano Albanese, Sushil Jajodia, Steven Noel, "A time-efficient approach to cost-effective network hardening using attack graphs," Proc. 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Boston, Mass., June 25-28, 2012.

  20. Attack Graph Visualization Problem Even small networks can yield complex attack graphs!

  21. [Figure: dense attack graph from the External Attacker to the Attack Target]

  22. Alert Correlation • Correlate alerts to build attack scenarios • For efficient response, this must be done in real time

  23. Related Work • Based on a priori knowledge, such as the prepare-for relationship (Cuppens et al S&P’02, Ning et al CCS’02 CCS’03, etc.) • Based on statistical analysis, such as temporal similarity between alert sequences (Lee et al RAID’03, Dacier et al KDD’02, Valdes et al RAID’01, etc.) • Hybrid approaches (Ning et al ACSAC’04, Lee et al ESORICS’04, Morin et al RAID’02, etc.)

  24. Attack Graph Approach • Provides context for alarms • Can help with forensic analysis, attack response, attack prediction

  25. Hypothesizing and Predicting Alerts • Correlation based on the prepare-for relationship is vulnerable to alerts missed by IDSs - Reassembling a broken attack scenario is expensive and error-prone • By reasoning about the inconsistency between the knowledge (encoded in attack graph) and the facts (represented by received alerts), missing alerts can be hypothesized • By extending the facts in a way that is consistent with the knowledge, possible consequences of current attacks can be predicted

  26. Reference • Lingyu Wang, Anyi Liu, Sushil Jajodia, "An efficient and unified approach to correlating, hypothesizing, and predicting network intrusion alerts," Proc. 10th European Symposium on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 3679, September 2005, pages 247-266.
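As an added worked example (not the ESORICS 2005 paper's code; the prepare-for graph and the alert stream below are constructed), the following Python correlates a sequence of IDS alerts against an attack graph's prepare-for relation, hypothesizes the alerts the IDS missed wherever two observed alerts are connected only through unreported exploits, and predicts the next steps consistent with the graph, as slides 22, 24 and 25 describe:

```python
"""Correlating IDS alerts against an attack graph, hypothesizing alerts the
IDS missed, and predicting the attacker's next steps (slides 22, 24, 25).
Constructed example: the prepare-for relation and the alert stream are
hypothetical, not the data or code of the ESORICS 2005 paper."""
from collections import deque

# prepare-for relation derived from an attack graph: exploit -> exploits it
# enables (its postconditions satisfy their preconditions).
PREPARES_FOR = {
    "scan_portmap":     ["rpc_overflow", "ftp_anon_login"],
    "rpc_overflow":     ["install_backdoor"],
    "ftp_anon_login":   ["ftp_rhosts_write"],
    "ftp_rhosts_write": ["rsh_login"],
    "rsh_login":        ["install_backdoor"],
    "install_backdoor": ["exfil_db"],
    "exfil_db":         [],
}

# Constructed IDS alert stream as (time, exploit type).  The two FTP steps
# between the scan and the rsh login never raised an alert: the IDS missed them.
ALERTS = [(1, "scan_portmap"), (2, "rsh_login"), (3, "install_backdoor")]


def shortest_chain(src, dst, graph=PREPARES_FOR):
    """Shortest prepare-for chain from src to dst as a node list, or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            chain = []
            while node is not None:
                chain.append(node)
                node = prev[node]
            return chain[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def correlate(alerts=ALERTS, graph=PREPARES_FOR):
    """Link each alert to the most recent earlier alert that (transitively)
    prepares for it.  Exploits on the chain between the two that never
    produced an alert are hypothesized as missed by the IDS, so a broken
    scenario is reassembled instead of being reported as isolated pieces.
    Returns (scenario edges, hypothesized exploits, uncorrelated alerts)."""
    scenario, hypothesized, isolated, seen = [], [], [], []
    for _, exploit in sorted(alerts):
        link = None
        for earlier in reversed(seen):
            chain = shortest_chain(earlier, exploit, graph)
            if earlier != exploit and chain is not None:
                link = earlier
                for missed in chain[1:-1]:
                    if missed not in seen and missed not in hypothesized:
                        hypothesized.append(missed)
                break
        if link is None:
            isolated.append(exploit)
        else:
            scenario.append((link, exploit))
        seen.append(exploit)
    return scenario, hypothesized, isolated


def predict(alerts=ALERTS, graph=PREPARES_FOR):
    """Possible next exploits: anything prepared for by an observed or
    hypothesized exploit that has not itself been seen yet."""
    _, hypothesized, _ = correlate(alerts, graph)
    done = {exploit for _, exploit in alerts} | set(hypothesized)
    return sorted({nxt for node in done for nxt in graph.get(node, [])
                   if nxt not in done})


if __name__ == "__main__":
    edges, missed, alone = correlate()
    print("scenario:", edges)
    print("hypothesized missed alerts:", missed)
    print("uncorrelated alerts:", alone)
    print("predicted next steps:", predict())
```

Without the hypothesis step the rsh_login alert would stay isolated, since no received alert directly prepares for it; with it, the scan, the two missed FTP steps, the rsh login and the backdoor form one scenario, and the predicted next steps are the exfiltration the backdoor enables plus the RPC branch the scan also opened. Linking to the most recent earlier alert and taking the shortest chain are simple choices; a production correlator would also bound the time window between linked alerts, which the real-time requirement of slide 22 implies.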

  27. Two Sides of Security: Predictive Monitoring/Management • Just what is “predictive”? • Common Operating Picture • Situational Awareness • I have 700 vulnerabilities – now what?!? • “Put my problems/my risks in context” [Figure: 3 vendors, plus more than 60 other vendors]

  28. Our Approach • Network Capture • builds a model of the network • represents data in terms of corresponding elements in Vulnerability Reporting and Exploit Specifications • Vulnerability Database • a comprehensive repository of reported vulnerabilities • Graph Engine • simulates multi-step attacks through the network, for a given user-defined Attack Scenario • analyzes vulnerability dependencies, matching exploit preconditions and post-conditions • generates all possible paths through the network (for a given attack scenario) Aggregate / Correlate / Visualize
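As an added worked example (not CAULDRON's model, data or code; the hosts, exploit names, vulnerability facts and remediation costs are assumed), the following Python does in miniature what slides 11 and 28 describe: it forward-chains exploit preconditions and postconditions from the attacker's foothold, prunes backwards from the goal to keep only the exploits that matter, reports only the scanner findings on an attack path, enumerates the attack paths, and then derives the first-layer, last-layer and minimum-cost hardening sets of slides 15-19 and 35-37 by exhaustive search:

```python
"""Attack graph generation and hardening recommendations on a toy network.
Constructed example: hosts, exploits, vulnerability facts and remediation
costs are hypothetical, not CAULDRON's model, data or code."""
from itertools import combinations

# Exploit catalogue: name -> (preconditions, postconditions).  Facts are strings:
# "exec(host)" = attacker runs code on host, "vuln(sw,host)" = scanner finding.
# Layout follows slide 13: Internet -> web server (IIS, wu_ftpd) -> mail server
# (NT4), with a DB server as the crown jewel.
EXPLOITS = {
    "wuftpd_overflow@web": ({"exec(internet)", "vuln(wu_ftpd,web)"}, {"exec(web)"}),
    "iis_rce@web":         ({"exec(internet)", "vuln(iis,web)"},     {"exec(web)"}),
    "nt4_smb@mail":        ({"exec(web)", "vuln(nt4,mail)"},         {"exec(mail)"}),
    "sshd_bug@db":         ({"exec(mail)", "vuln(sshd,db)"},         {"exec(db)"}),
    "dbproto_auth@db":     ({"exec(web)", "vuln(dbproto,db)"},       {"exec(db)"}),
    # Fires but never helps reach the goal; a scanner would still list it.
    "sendmail_dos@mail":   ({"exec(web)", "vuln(sendmail,mail)"},    {"dos(mail)"}),
}
# Facts holding before any exploit: attacker foothold plus scanner findings.
INITIAL = {"exec(internet)", "vuln(wu_ftpd,web)", "vuln(iis,web)", "vuln(nt4,mail)",
           "vuln(sshd,db)", "vuln(dbproto,db)", "vuln(sendmail,mail)"}
GOAL = "exec(db)"
# Hypothetical cost of removing each finding (patch, firewall rule, ...).
COST = {"vuln(wu_ftpd,web)": 1, "vuln(iis,web)": 5, "vuln(nt4,mail)": 1,
        "vuln(sshd,db)": 2, "vuln(dbproto,db)": 3, "vuln(sendmail,mail)": 1}


def forward_chain(initial, exploits=EXPLOITS):
    """Fire every exploit whose preconditions hold, until a fixpoint.
    Returns (derivable facts, names of exploits that fired)."""
    facts, fired, progress = set(initial), set(), True
    while progress:
        progress = False
        for name, (pre, post) in exploits.items():
            if name not in fired and pre <= facts:
                facts, progress = facts | post, True
                fired.add(name)
    return facts, fired


def attack_graph(initial=INITIAL, goal=GOAL, exploits=EXPLOITS):
    """Exploits that fire from the initial facts AND can contribute to the goal
    (pruned backwards from the goal): the attack graph of slide 11."""
    _, fired = forward_chain(initial, exploits)
    needed, relevant, progress = {goal}, set(), True
    while progress:
        progress = False
        for name in fired - relevant:
            if exploits[name][1] & needed:
                relevant.add(name)
                needed, progress = needed | exploits[name][0], True
    return relevant


def attack_paths(initial=INITIAL, goal=GOAL, exploits=EXPLOITS):
    """Exploit chains from the initial facts to the goal: each step builds on
    the previous step's effects and has ALL its preconditions satisfied."""
    relevant, paths = attack_graph(initial, goal, exploits), []

    def walk(path, facts):
        if goal in facts:
            paths.append(tuple(path))
            return
        last_post = exploits[path[-1]][1] if path else set()
        for name in sorted(relevant - set(path)):
            pre, post = exploits[name]
            if pre <= facts and (not path or pre & last_post):
                walk(path + [name], facts | post)

    walk([], set(initial))
    return sorted(paths)


def vulns_on_graph(initial=INITIAL, goal=GOAL, exploits=EXPLOITS):
    """Report only the scanner findings that lie on some attack path."""
    return {f for n in attack_graph(initial, goal, exploits)
            for f in exploits[n][0] if f.startswith("vuln(")}


def goal_reachable(removed, initial=INITIAL, goal=GOAL, exploits=EXPLOITS):
    """Does the goal survive removal of the given vulnerability facts?"""
    return goal in forward_chain(set(initial) - set(removed), exploits)[0]


def hardening_options(initial=INITIAL, goal=GOAL, exploits=EXPLOITS, cost=COST):
    """First-layer (entry exploits), last-layer (exploits yielding the goal) and
    minimum-cost hardening sets: the three recommendations of slides 35-37.
    The subset search is exhaustive; fine for a handful of findings only."""
    relevant = attack_graph(initial, goal, exploits)
    vulns = lambda names: frozenset(f for n in names for f in exploits[n][0] if f in cost)
    first = vulns(n for n in relevant
                  if {f for f in exploits[n][0] if f.startswith("exec(")} <= set(initial))
    last = vulns(n for n in relevant if goal in exploits[n][1])
    candidates, best = sorted(vulns_on_graph(initial, goal, exploits)), None
    for k in range(len(candidates) + 1):
        for subset in combinations(candidates, k):
            total = sum(cost[v] for v in subset)
            if (best is None or total < best[0]) and not goal_reachable(subset, initial, goal, exploits):
                best = (total, frozenset(subset))
    return None if best is None else {"first_layer": first, "last_layer": last,
                                      "min_cost": best[1], "min_cost_total": best[0]}
```

On this input the sendmail finding is dropped from the report because no path to the DB server uses it, four attack paths remain, and the three recommendations differ: fixing the two entry exploits costs 6, fixing the two exploits that yield the goal costs 5, and the minimum-cost cut costs 4 (the cheap mail-server fix plus the direct DB route), the kind of difference slides 16-18 illustrate. The exhaustive subset search is exponential in the number of findings; avoiding that on real graphs is the subject of the DSN 2012 paper on slide 19.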

  29. Benefit from Synergies • Common Operating Picture • Situational Awareness • Patching servers vs changing firewalls • Combined vulnerabilities are real • Where do I need to focus my resources?! [Figure: inputs combined: Vulnerability Scans, Firewalls, Patch Mgmt/Asset Mgmt, Other]

  30. [Figure: CAULDRON user interface, labelled: Toolbars, Overall Graph, Hardening Recommendations, Graph Elements, Main Attack Graph View, Hardening Log, Exploit Details, Exploit Field]

  31. Unconstrained Start/Goal

  32. Constrained Start [Figure: attack graph with the Attack Start marked]

  33. Constrained Start and Goal [Figure: attack graph with Attack Start and Attack Goal marked]

  34. Direct Paths [Figure: only the direct paths between Attack Start and Attack Goal]

  35. First-Layer Recommendation [Figure: exploits to Harden marked at the first layer of the graph]

  36. Last-Layer Recommendation [Figure: exploits to Harden marked at the last layer before the goal]

  37. Minimum-Effort Recommendation [Figure: the minimum-effort set of exploits to Harden]

  38. CAULDRON has Numerous Applications • Security Metrics • Network Hardening • Alarm Correlation and Attack Response • Sensor Placement

  39. Summary of CAULDRON • Automated analysis of all possible attack paths through a network • Resulting attack “roadmap” provides context for optimal defenses • Transforms volumes of isolated facts into manageable, actionable results • Integrates with existing tools for capturing network configuration • Your network is provably secure with respect to the modeled vulnerabilities and attack scenario, with minimum effort • A useful tool for making informed decisions about network security

  40. Zero-day Attacks • Lingyu Wang, Sushil Jajodia, Anoop Singhal, Steven Noel, "k-Zero day safety: Measuring the security risk of networks against unknown attacks," Proc. 15th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6345, 2010, pages 540-557.

  41. Cyber Situation Awareness • An ever increasing number of critical applications and services rely on Information Technology infrastructures • Increased risk of cyber attacks • Increased negative impact of cyber attacks • Attackers can exploit network configurations and vulnerabilities (both known and unknown) to incrementally penetrate a network and compromise critical systems • Manual analysis is labor-intensive and error-prone • Vulnerabilities are often interdependent, making traditional point-wise vulnerability analysis ineffective • Services and machines on a network are interdependent • Need for tools that provide analysts with a “big picture” of the cyber situation

  42. CSA Capabilities • Evolution. How is the situation evolving? Can we track all the steps of an attack? • Current situation. Is there any ongoing attack? If yes, where is the attacker? • Impact. How is the attack impacting the enterprise or mission? Can we assess the damage? • Behavior. How are the attackers expected to behave? What are their strategies? • Forensics. How did the attacker create the current situation? What was he trying to achieve? • Information. What information sources can we rely upon? Can we assess their quality? • Prediction. Can we predict plausible futures of the current situation? • Scalability. How can we ensure that solutions scale well for large networks? [Figure: Enterprise Network reached from the Internet: Web Server (A), Local DB Server (B), Mobile App Server (C), Local DB Server (D), Catalog Server (E), Order Processing Server (F), DB Server (G)]
